Windows Sysmon Process Dashboard

While working with a customer, I started this dashboard to give a high-level overview of Windows Sysmon data. I have been evolving it in my home environment and welcome any feedback that improves its effectiveness.

The first step is getting Sysmon data into your Splunk environment. My home computers are running Windows 10 Home edition (I know, I need to upgrade to Pro) and needed Sysmon installed and configured.

I first downloaded Sysmon from the Microsoft Sysinternals suite: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Next I installed the Splunk Add-on for Microsoft Sysmon: https://splunkbase.splunk.com/app/1914/

I found the following presentation from Splunk .conf2017 that covers using SwiftOnSecurity's config as a baseline and how the presenter modified it to meet their needs: https://conf.splunk.com/files/2017/slides/effectively-enhancing-our-soc-with-sysmon-powershell-logging-and-machine-learning-to-detect-and-respond-to-todays-threats.pdf

Here is SwiftOnSecurity's GitHub site, which includes a Sysmon configuration file for everybody to fork and a tutorial/guide for Sysmon setup: https://github.com/SwiftOnSecurity/sysmon-config

Here is another presentation on Sysmon, the SwiftOnSecurity config, and filter examples: https://sector.ca/wp-content/uploads/presentations18/Morin_Sysmon_2019-16-9.pdf

Just released from Malware Archaeology is the "Windows Sysmon Logging Cheat Sheet", intended to help you understand where Microsoft's FREE Sysinternals Sysmon agent can supplement and enhance your Windows logging, NOT replace it: https://www.malwarearchaeology.com/s/Windows-Sysmon-Logging-Cheat-Sheet_Aug_2019-pthx.pdf

With the Sysmon configuration completed, I next pushed an updated inputs.conf to all of my Windows machines. Example of the inputs.conf Sysmon entry:

The queries in the dashboard use index=sysmon, since that is where I store my Sysmon data; adjust as needed.

I have also built a lookup table called process_path.csv to filter out validated process_paths; the filter is enabled or disabled by radio buttons at the top of the dashboard. My suggestion would be to build your own process_path.csv, either with the outputlookup command (then validate the output) or by creating the CSV manually. Another helpful app for editing lookup files that I have installed is the Lookup File Editor app: https://splunkbase.splunk.com/app/1724/

The second panel includes a dynamic field-selection input that shows all the available fields, including an eval that populates a "time" field and iplocation to give you more information on destination IPs when available.
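To show how the pieces above fit together, here is an added Simple XML dashboard fragment that is not the author's dashboard: a radio input toggles the process_path.csv allowlist filter, one panel lists process creations (EventCode 1) with the eval-populated "time" field, and one panel enriches network connections (EventCode 3) with iplocation. It assumes the Splunk Add-on for Microsoft Sysmon field names (process_path, parent_process_path, dest_ip, dest_port), that process_path.csv has a process_path column (as outputlookup would write it), and that events live in index=sysmon.

```xml
<form>
  <label>Sysmon Process Overview (added example)</label>
  <fieldset submitButton="false">
    <!-- Radio button: the choice value is a whole SPL command, so the token
         either drops rows matched by the allowlist or passes everything. -->
    <input type="radio" token="filter_known">
      <label>Filter validated process paths</label>
      <choice value="where isnull(validated_path)">Enabled</choice>
      <choice value="search *">Disabled</choice>
      <default>where isnull(validated_path)</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Process creations (EventCode 1) not yet in process_path.csv</title>
      <table>
        <search>
          <!-- time is a human-readable copy of _time, as the post describes;
               the lookup adds validated_path only for allowlisted paths. -->
          <query>index=sysmon EventCode=1
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| lookup process_path.csv process_path OUTPUT process_path AS validated_path
| $filter_known$
| stats count latest(time) AS last_seen BY host user process_path parent_process_path
| sort - count</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Outbound connections (EventCode 3) with GeoIP</title>
      <table>
        <search>
          <!-- RFC 1918 ranges are excluded because iplocation has no data for them. -->
          <query>index=sysmon EventCode=3
  NOT (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16)
| iplocation dest_ip
| stats count BY process_path dest_ip dest_port Country City
| sort - count</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste the fragment into a new dashboard's source view; if your add-on version names the fields differently, check them with `index=sysmon EventCode=1 | fieldsummary` first.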
